Microsoft's print nightmare continues with another example of how a threat actor can gain SYSTEM privileges by abusing malicious printer drivers.
Last month, security researchers accidentally disclosed a proof-of-concept exploit for the Windows PrintNightmare zero-day.
This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows Print Spooler that allows malicious print drivers to be installed to achieve remote code execution or local privilege escalation on vulnerable systems.
Microsoft released an out-of-band KB5004945 security update that was supposed to fix the vulnerability, but security researchers quickly determined that the patch could be bypassed under certain conditions.
However, Microsoft stated that their patches worked as intended and, because the vulnerability was being actively exploited, advised all Windows users to install the update.
The print nightmare continues
Yesterday, security researcher and Mimikatz creator Benjamin Delpy said he found a way to abuse Windows' normal method of installing printer drivers to gain local SYSTEM privileges through malicious printer drivers.
This technique can be used even when admins have applied Microsoft's recommended mitigations of restricting printer driver installation to admins and disabling Point and Print.
#printnightmare – Episode 3
that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?
— Benjamin Delpy (@gentilkiwi) July 15, 2021
While this new local privilege escalation technique is not the same as the one commonly referred to as PrintNightmare, Delpy told BleepingComputer that he considers related printer driver installation bugs to be categorized under the same name.
In a conversation with BleepingComputer, Delpy explained that even with mitigations applied, a threat actor could create a signed malicious print driver package and use it to gain SYSTEM privileges on other systems.
To do this, the threat actor would create a malicious print driver and sign it using a trusted Authenticode certificate using these steps
However, some threat actors opt for the "Rolls Royce" method of signing drivers, which is to buy or steal an EV certificate and then submit it for Microsoft WHQL validation as a fake company.
Once they have a signed printer driver package, a threat actor can install the driver on any other networked system where they have administrative privileges.
Threat actors can then use this "pivot" system to gain SYSTEM privileges on other devices where they do not have elevated privileges simply by installing the malicious driver, as shown in the video below.
Delpy said that this method could be used to help threat actors spread laterally in an already compromised network.
To prevent this attack, you can disable the print spooler or enable the Point and Print group policy to restrict the servers from which a device can download print drivers.
However, enabling Point and Print would allow PrintNightmare exploits to bypass the current patch from Microsoft.
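The mitigations the article refers to (restricting driver installation to administrators, keeping the Point and Print prompts, limiting driver downloads to approved servers, or disabling the spooler outright) are registry-backed policy settings. The following PowerShell is an added example, not code from the article or from Delpy. The value names RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall and UpdatePromptSettings come from Microsoft's CVE-2021-34527 guidance; Restricted, TrustedServers and ServerList are the values the "Point and Print Restrictions" policy writes as understood here (an assumption to verify against your ADMX templates). The server names are constructed placeholders.

```powershell
# Added example, not part of the article: apply the Print Spooler hardening the
# article mentions and report the resulting state. Run from an elevated shell.
# Value names under PointAndPrint: RestrictDriverInstallationToAdministrators,
# NoWarningNoElevationOnInstall, UpdatePromptSettings (Microsoft guidance);
# Restricted, TrustedServers, ServerList (Point and Print Restrictions policy,
# assumption). Server names below are constructed placeholders.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-PrintDriverHardening {
    param(
        # Print servers a client may fetch drivers from (constructed placeholders).
        [string[]]$ApprovedServers = @('print01.corp.example', 'print02.corp.example')
    )

    # 1. Only administrators may install printer drivers through Point and Print.
    Set-PolicyDword $PointAndPrintKey 'RestrictDriverInstallationToAdministrators' 1

    # 2. Keep the elevation and warning prompts. A value of 1 in either setting is
    #    the weak configuration that lets PrintNightmare exploits bypass the patch.
    Set-PolicyDword $PointAndPrintKey 'NoWarningNoElevationOnInstall' 0
    Set-PolicyDword $PointAndPrintKey 'UpdatePromptSettings' 0

    # 3. Restrict driver downloads to the approved server list only.
    Set-PolicyDword $PointAndPrintKey 'Restricted' 1
    Set-PolicyDword $PointAndPrintKey 'TrustedServers' 1
    New-ItemProperty -Path $PointAndPrintKey -Name 'ServerList' `
        -Value ($ApprovedServers -join ';') -PropertyType String -Force | Out-Null
}

function Disable-PrintSpooler {
    # For hosts that never print (domain controllers, most servers): remove the
    # attack surface entirely instead of tuning it.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

function Get-PrintDriverHardeningState {
    # Returns the effective values so the result can be checked or exported.
    $names = 'RestrictDriverInstallationToAdministrators',
             'NoWarningNoElevationOnInstall', 'UpdatePromptSettings',
             'Restricted', 'TrustedServers', 'ServerList'
    $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    $state = [ordered]@{}
    foreach ($n in $names) { $state[$n] = if ($props) { $props.$n } else { $null } }
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $state['SpoolerStatus']    = if ($spooler) { $spooler.Status }    else { 'absent' }
    $state['SpoolerStartType'] = if ($spooler) { $spooler.StartType } else { 'absent' }
    [pscustomobject]$state
}

# Usage (uncomment as appropriate):
# Set-PrintDriverHardening -ApprovedServers @('print01.corp.example')
# Disable-PrintSpooler          # only where printing is not required
# Get-PrintDriverHardeningState | Format-List
```

The restriction values limit where drivers come from, while the two prompt values keep the elevation and warning dialogs; the article's caveat is that loosening those prompts to make Point and Print convenient is exactly what reopens the patched path, so the script leaves them at 0. Disabling the spooler remains the only setting that closes the driver-install path entirely.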
When asked how Microsoft could prevent this type of attack, Delpy stated that they tried to prevent it in the past by deprecating version 3 printer drivers. Ultimately, this caused problems, and Microsoft ended the v3 deprecation policy in June 2017.
Unfortunately, this technique will likely not be fixed, as Windows is designed to allow an administrator to install a printer driver, even one that may be unknowingly malicious. Furthermore, Windows is designed to allow non-admin users to install signed drivers on their devices for ease of use.
Instead, security software will likely be the primary defense against attacks like this by detecting the malicious driver or behavior.
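Because the driver in this scenario carries a valid, trusted signature, detection has to look at who signed it and when it appeared, not merely whether the signature verifies. The following PowerShell is an added example, not code from the article or from any vendor it mentions: it enables the Microsoft-Windows-PrintService/Operational log (off by default), pulls event ID 316 (driver added or updated), and checks every installed driver's binaries with Get-AuthenticodeSignature against an allow-list of expected publishers. The allow-list entries are constructed placeholders; Get-PrinterDriver comes from the PrintManagement module.

```powershell
# Added example, not from the article: triage printer-driver installs on a host.
# Uses the PrintManagement module (Get-PrinterDriver) and the
# Microsoft-Windows-PrintService/Operational log, which is disabled by default.
# Event ID 316 records a driver being added or updated. The signer allow-list is
# a constructed placeholder; replace it with the publishers you actually deploy.

$PrintLog = 'Microsoft-Windows-PrintService/Operational'

function Enable-PrintServiceLog {
    # Turn on the operational log so driver add/update events are retained.
    $cfg = Get-WinEvent -ListLog $PrintLog
    if (-not $cfg.IsEnabled) { $cfg.IsEnabled = $true; $cfg.SaveChanges() }
}

function Get-RecentPrintDriverInstalls {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = $PrintLog; Id = 316; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            UserSid = $_.UserId      # who triggered the install
            Message = $_.Message     # names the driver and the files it brought
        }
    }
}

function Test-InstalledPrinterDrivers {
    param(
        # Publishers whose signatures you expect to see (constructed example).
        [string[]]$ExpectedSigners = @(
            'CN=Microsoft Windows',
            'CN=Microsoft Windows Hardware Compatibility Publisher'
        )
    )
    Get-PrinterDriver | ForEach-Object {
        $drv   = $_
        $files = (@($drv.Path, $drv.ConfigFile, $drv.DataFile) + @($drv.DependentFiles)) |
                 Where-Object { $_ -and (Test-Path $_) }
        foreach ($f in $files) {
            $sig     = Get-AuthenticodeSignature -FilePath $f
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $known   = $ExpectedSigners | Where-Object { $subject -like "$_*" }
            [pscustomobject]@{
                Driver       = $drv.Name
                MajorVersion = $drv.MajorVersion   # v3 drivers are the ones the article says Microsoft once tried to deprecate
                File         = $f
                SigStatus    = $sig.Status
                Signer       = $subject
                # A valid signature from an unexpected publisher still merits review:
                # the article's point is that the attacker signs with a trusted certificate.
                Suspicious   = ($sig.Status -ne 'Valid') -or (-not $known)
            }
        }
    }
}

# Usage:
# Enable-PrintServiceLog
# Get-RecentPrintDriverInstalls -Hours 72 | Format-Table -AutoSize
# Test-InstalledPrinterDrivers | Where-Object Suspicious | Format-Table -AutoSize
```

Correlating a 316 event with a driver whose signer is outside the allow-list, or with an install on a host where no new printer was expected, is the kind of behavioral signal the article says security software will have to rely on, since the install itself is a supported Windows operation.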
BleepingComputer has contacted Microsoft regarding the issue but has not heard back.